GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 21:07:51
Windows 6.1.7600
Running: hmv029lo.exe; Driver: C:\Users\Hubert\AppData\Local\Temp\uwwoypob.sys
---- System - GMER 1.0.15 ----
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C27AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C27104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C273F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C102D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C271DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C27958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C276F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C27F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C281A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C798E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C993D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 90D61C9D 28 Bytes [44, 73, A8, 59, B9, 67, 20, ...]
.text peauth.sys 90D61CC1 28 Bytes [44, 73, A8, 59, B9, 67, 20, ...]
PAGE peauth.sys 90D6802C 102 Bytes [D0, 0B, 0A, 4D, 0C, 45, E1, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 90E48000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 90E48123 629 Bytes [35, E4, 90, FE, 05, 34, 35, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 90E48399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 90E483FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B 90E484AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[1580] ntdll.dll!LdrLoadDll 775BF585 5 Bytes JMP 009813F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1580] kernel32.dll!LoadLibraryA 75F62884 5 Bytes JMP 01CF7CA9 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1580] kernel32.dll!LoadLibraryW 75F628D2 5 Bytes JMP 01CF7DA9 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1632] kernel32.dll!SetUnhandledExceptionFilter 75F63162 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Xfire\Xfire.exe[2452] kernel32.dll!CreateProcessA 75F12062 5 Bytes JMP 04A605B7 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] kernel32.dll!CreateThread 75F6281D 5 Bytes JMP 04A5FF5B C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] GDI32.dll!BitBlt 77747180 5 Bytes JMP 04A5F9D3 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!InvalidateRgn 75B18099 5 Bytes JMP 04A5FBB9 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!CreateDialogParamW 75B19BFF 5 Bytes JMP 04A600A6 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!GetCursorPos 75B1C198 5 Bytes JMP 04A5FCEF C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!SetFocus 75B1CBA9 5 Bytes JMP 04A5FA83 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!SetForegroundWindow 75B1D3AE 5 Bytes JMP 04A601F4 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!RegisterClassA 75B1E225 5 Bytes JMP 04A5FEC3 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!CreateWindowExW 75B20E51 5 Bytes JMP 04A6028C C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!SetWindowPos 75B23581 5 Bytes JMP 04A6014A C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!RedrawWindow 75B252A2 5 Bytes JMP 04A5FE22 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!IsWindowVisible 75B26939 7 Bytes JMP 04A60345 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!GetDC 75B27041 5 Bytes JMP 04A5F8A4 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!ReleaseDC 75B27055 5 Bytes JMP 04A5F938 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!BeginPaint 75B27B87 5 Bytes JMP 04A5F810 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!InvalidateRect 75B27BC9 5 Bytes JMP 04A5FB1B C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!TrackPopupMenu 75B44B3B 5 Bytes JMP 04A6050D C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!DialogBoxParamW 75B4564A 5 Bytes JMP 04A60002 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!SetCapture 75B46B2A 5 Bytes JMP 04A5FC57 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2452] USER32.dll!WindowFromPoint 75B46D0C 5 Bytes JMP 04A5FD87 C:\Program Files\Xfire\xfire_toucan_42127.dll (Xfire Toucan DLL/Xfire Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)
---- Threads - GMER 1.0.15 ----
Thread System [4:1864] 90E55F2E
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011957dd384
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011957dd384@001edcdcf8e3 0x5A 0x53 0x4C 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x32 0xD0 0x0D 0x2F ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0011957dd384 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0011957dd384@001edcdcf8e3 0x5A 0x53 0x4C 0xE2 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x32 0xD0 0x0D 0x2F ...
---- EOF - GMER 1.0.15 ----
OTL log:
http://wklej.org/id/315453/